LinuxQuestions.org
Linux - Networking
Old 06-17-2004, 03:37 PM   #1
cassiusclay
LQ Newbie
 
Registered: Jun 2004
Location: Atlanta, GA
Distribution: Slackware and OpenBSD
Posts: 22

Rep: Reputation: 15
iptables logging question


Okay, here's my problem.

I am attempting to limit the logging of packets from my ISP's servers because they're flooding my /var/log/messages.

I figure my other logging is superseding my limit commands, but I haven't been able to find out how to order them.

Also, is there a way to redirect my logging to a separate log that I can create?
I have seen iplog (freshmeat) on Google, but it's reported to not work with Slack 8 and above.

I have this in my rc.firewall:

Code:
# catch-all logging of TCP and UDP arriving on INPUT
iptables -A INPUT -p tcp -j LOG --log-level info --log-prefix 'IPTABLES-INPUT-TCP-DROP: ' --log-ip-options --log-tcp-options
iptables -A INPUT -p udp -j LOG --log-level info --log-prefix 'IPTABLES-INPUT-UDP-DROP: '

# rate-limited logging (12 entries per hour) for the three ISP servers; appended
# after the catch-all rules above, so packets from these hosts have already been
# logged by the time they reach these lines
iptables -A INPUT -s 172.26.120.5 -m limit --limit 12/hour -j LOG
iptables -A INPUT -s 10.136.192.1 -m limit --limit 12/hour -j LOG
iptables -A INPUT -s 10.133.0.33 -m limit --limit 12/hour -j LOG
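The ordering problem in the script above is that a chain is walked top to bottom and LOG is a non-terminating target, so a limited rule placed after the catch-all LOG never suppresses anything. The following is an added example, not the poster's rc.firewall and not from any reply in the thread: it builds the same rules in the order that makes the per-source limit take effect, using a dedicated chain. The chain name NOISY-DHCP and the IPT dry-run wrapper are this example's own choices; by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: the rule order that makes a
# per-source limit actually suppress the catch-all LOG rules. The commands
# are only printed by default (IPT="echo iptables"); run with IPT=iptables
# as root to load them. Chain name NOISY-DHCP is this example's own choice.
IPT="${IPT:-echo iptables}"

# The three ISP addresses from the thread; substitute your own.
NOISY_SRCS="172.26.120.5 10.136.192.1 10.133.0.33"

build_rules() {
    # A dedicated chain for the noisy sources: log at most 12 entries per
    # hour (plus the limit match's default burst of 5), then DROP. DROP is a
    # terminating target, so packets from these sources never reach the
    # catch-all LOG rules further down the INPUT chain.
    $IPT -N NOISY-DHCP
    $IPT -A NOISY-DHCP -m limit --limit 12/hour -j LOG \
        --log-level info --log-prefix 'IPTABLES-NOISY-DROP: '
    $IPT -A NOISY-DHCP -j DROP

    # The jumps go in BEFORE the general LOG rules. A chain is walked top to
    # bottom and LOG is non-terminating: a packet matching a LOG rule is
    # logged and keeps going, so a limited rule placed after the catch-all
    # (as in the original script) limits nothing.
    for src in $NOISY_SRCS; do
        $IPT -A INPUT -s "$src" -p udp --sport 67 --dport 68 -j NOISY-DHCP
    done

    # Catch-all logging of everything else that the INPUT policy will drop.
    $IPT -A INPUT -p tcp -j LOG --log-level info \
        --log-prefix 'IPTABLES-INPUT-TCP-DROP: ' --log-ip-options --log-tcp-options
    $IPT -A INPUT -p udp -j LOG --log-level info \
        --log-prefix 'IPTABLES-INPUT-UDP-DROP: '
}

# Line number of the first line of "$2" containing "$1", or 0 if none.
first_match_line() {
    n=$(printf '%s\n' "$2" | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Dry-run check: the limited LOG must precede the first catch-all LOG.
rules_ordered_correctly() {
    out="$(build_rules)"
    limited=$(first_match_line '--limit' "$out")
    catchall=$(first_match_line 'IPTABLES-INPUT-TCP-DROP' "$out")
    [ "$limited" -gt 0 ] && [ "$limited" -lt "$catchall" ]
}

if [ "$IPT" = "echo iptables" ]; then
    build_rules
    rules_ordered_correctly && echo "# ok: limited LOG precedes catch-all LOG"
fi
```

The thread's own fix (post #8) drops the offers with `-t nat -I PREROUTING`, which is reached before the filter INPUT chain; `-I` puts the rule at the head of the chain, unlike `-A`. One caveat worth knowing: the nat table only sees the first packet of each connection-tracking flow, so a DROP there relies on conntrack, whereas a DROP at the head of the filter INPUT chain, as above, matches every packet.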
 
Old 06-17-2004, 04:05 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Move them up to the nat table..

That way you get the originating packets only, rather than every packet
 
Old 06-21-2004, 04:15 AM   #3
cassiusclay
Original Poster

Thanks! That jarred my mind into remembering how the script is read.
Thanks again, I wanted to acknowledge your assistance.
 
Old 06-21-2004, 05:07 AM   #4
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
You can use PREROUTING if you simply don't want that traffic to reach your stacks.
 
Old 06-21-2004, 07:06 AM   #5
cassiusclay
Original Poster

Thanks, I did/didn't know how to do that - being stupid, since I'm dropping other items - would this work?

Code:
# drops all incoming UDP packets destined for port 68 (DHCP/BOOTP client)
iptables -t nat -A PREROUTING -p udp --dport 68 -j DROP

Or could I just drop the packets after my initial

Code:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# drop DHCP server (67) to client (68) traffic on INPUT
iptables -A INPUT -p udp --sport 67 --dport 68 -j DROP

Which one is better?

Adding that UDP drop to the top of my script, wouldn't the log commands be unnecessary, since the drop line would be at the top of the INPUT chain?

These are annoying DHCP requests on my broadband provider's network.
 
Old 06-21-2004, 07:55 AM   #6
peter_robb
I'm surprised you are receiving them...

They are directed to ip 0.0.0.0 first to get a DISCOVER,
then to the actual dhcp server ip number to get an allocation..

Do ifconfig and see if your card is in promiscuous mode.
If you don't have a good reason for it being in promiscuous mode, find what is turning it on, eg arpwatch etc.
In normal mode, only packets addressed to your MAC address are allowed to pass; the rest are ignored..
ifconfig ethx -promisc to turn it off..

Add a LOG rule to read the packet info:
iptables -t nat -I PREROUTING -p udp --dport 68 -j LOG --log-prefix "dhcp "
 
Old 06-21-2004, 08:15 AM   #7
cassiusclay
Original Poster

Nah, it's not in promiscuous mode; they are being broadcast to 255.255.255.255.
I made an error in the last post - they are from my ISP's DHCP servers; they are DHCP offers, not requests:
BOOTP server (67) to BOOTP client (68).

I'm gonna have to explicitly drop the packets from those IP addys, because I will need to obtain a DHCP address in the future, although not from those servers, which is stupid, and my syslog is full of 24 hours' worth of their trash and a few failed hits.
 
Old 06-21-2004, 03:05 PM   #8
peter_robb
Ok..

Try iptables -t nat -I PREROUTING -p udp --dport 68 -s x.x.x.x -j DROP to get rid of them

That gets it early in the nat chain..
 
Old 06-21-2004, 03:51 PM   #9
cassiusclay
Original Poster

Thanks - I haven't seen -I before.

So it's: iptables table is nat, and -I inserts at the rule number specified, or at the head of the chain by default - good to remember.

It works! Thanks a lot, exactly what I needed - no more logging of that trash!
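The per-source rules in this thread only work once you know which hosts are filling the log. This added example, not from the thread, summarises iptables LOG lines in the format the kernel writes to /var/log/messages (log prefix, then IN=/OUT=/MAC=/SRC=/DST=/PROTO=/SPT=/DPT= fields) by prefix, source address and destination port, which is exactly the information needed for a `-s` rule. The log lines in SAMPLE_LOG are constructed samples that reuse the thread's prefixes and addresses; the hostname `slack` and the other values are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise iptables LOG lines from
# /var/log/messages by prefix, source address and destination port, so the
# hosts filling the log can be matched with -s rules. SAMPLE_LOG holds
# constructed lines in the kernel LOG format; the addresses are the thread's.
SAMPLE_LOG='Jun 21 03:12:01 slack kernel: IPTABLES-INPUT-UDP-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00 SRC=10.136.192.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 21 03:12:04 slack kernel: IPTABLES-INPUT-UDP-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00 SRC=10.136.192.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 21 03:12:09 slack kernel: IPTABLES-INPUT-UDP-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:02:08:00 SRC=172.26.120.5 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 21 03:13:30 slack kernel: IPTABLES-INPUT-TCP-DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:10:00:00:5e:00:53:03:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=4410 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 21 03:14:02 slack kernel: IPTABLES-INPUT-UDP-DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00 SRC=10.136.192.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308'

# Read kernel LOG lines on stdin; print "count prefix src dpt", busiest first.
summarize_log() {
    awk '
        /kernel: .*IN=/ {
            # the log prefix is whatever sits between "kernel: " and " IN="
            # (the MAC= field contains colons, so do not cut at the first colon)
            prefix = $0
            sub(/^.*kernel: /, "", prefix)
            sub(/ *IN=.*$/, "", prefix)
            sub(/:$/, "", prefix)
            src = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[prefix " " src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Source address with the most dropped-and-logged packets in the sample.
top_source() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log | head -n 1 | awk '{ print $3 }'
}

# Total sample lines caused by DHCP offers (server port 67 -> client port 68).
dhcp_offer_lines() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log | awk '$4 == 68 { n += $1 } END { print n + 0 }'
}

# Against the real log: summarize_log < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

On the constructed sample the busiest entry is the ISP server 10.136.192.1 sending to port 68, which is the address that would go into a `-s` rule; the `IPTABLES-INPUT-TCP-DROP` line with a single SYN to port 22 stays separate, so the catch-all logging for everything else is left alone.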
 
All times are GMT -5.